Security method for transmissions in telecommunication networks



Field of the invention 

The invention relates to a method for providing connection security 
for transmission between the communicating parties in a telecommunication 
network. 

Background of the invention 

At the beginning of a communication a handshake is usually performed
between applications in telecommunication networks, during which the
parties involved typically authenticate each other and exchange key
information, for example, negotiate an encryption algorithm and
cryptographic keys to be used in communication. It is only after the
handshake that the actual data is transmitted. The confidentiality of the
transmission is arranged, for example, through ciphering. Figures 1a and 1b
of the attached drawings show block diagrams of two known cipher algorithms
which can be used to protect a transmission: a symmetric and a public key
algorithm.

Figure 1a shows a symmetric algorithm based on a secret key shared between
the participants. At party A's end the message M to be sent to party B is
encrypted in box E of Figure 1a with the shared secret key K. The message
is sent over a transmission route as encrypted cipher text C, which party B
can decrypt in box D shown in Figure 1a with the same secret key K. Through
decryption party B gets the original message M. An intruder eavesdropping
on the transmission needs to know the secret key K in order to be able to
read and understand the transmitted cipher text C. The encryption and
decryption of the symmetric algorithm can be expressed by the equations:

C = E_K(M)
M = D_K(C),

where C is the cipher text, M is the message in plain text, E_K is the
encryption with key K, and D_K is the decryption with key K.

Figure 1b shows a public key algorithm which is an asymmetric approach.
This algorithm is based on two keys: a public key and a private key. These
two keys are related in such a manner that a message encrypted with a
public key K+ can only be decrypted with the corresponding private key K-
and vice versa. In Figure 1b a message M is encrypted at party A's end in
box E with the public key K+ of the intended receiver, that is party B. The
encrypted cipher text C is transmitted over a transmission line to party
B's end, where the cipher text C is decrypted in box D with the
corresponding party B's private key K- and the original message M is
retrieved. The encryption and decryption of the asymmetric algorithm can
also be expressed by the following equations:

C = E_B+(M)
M = D_B-(C),

where C is the cipher text, M is the message in plain text, E_B+ is
encryption with the receiver's public key K_B+, and D_B- is decryption with
the receiver's private key K_B-.

In the public key algorithm the encryption of a message with the private
key K- of the message sender acts as a signature, since anyone can decrypt
the message with the known public key K+ of the sender. Since asymmetric
keys are usually much longer than symmetric keys, the asymmetric algorithm
requires much more processing power. Thus asymmetric algorithms are
unsuitable for encrypting large amounts of data.

Hybrid cryptography uses both of the above-mentioned algorithms together.
For example, only session keys are exchanged using a public key algorithm,
and the rest of the communication is encrypted with a symmetric method.

To provide message integrity and authentication in a connection, a message
authentication code MAC is calculated and attached to the transmitted
message. For example, MAC can be calculated with a one-way hash algorithm
in the following way:

h = H(K, M, K),

where K is the key, M is the message, and H is the hash function. The input
cannot be deduced from the output. When MAC is attached to a message, the
message cannot be corrupted or impersonated. The receiving party calculates
MAC using the received message and the same hash function and key as the
transmitting party and compares this calculated MAC to the MAC attached to
the message in order to verify it.

Figure 2 shows examples of communication connections. A mobile station MS
operating in the GSM network (Global System for Mobile communications) is
able to make a connection to a bank directly from the GSM network. Other
possible connections presented in Figure 2 are connections from the GSM
network to different services via gateway GW and Internet. In mobile
communication networks, such as the GSM, the air interface from the mobile
station MS to the GSM network is well protected against misuse, but the
rest of the transmission route is as vulnerable as any other public
telephone network if no measures are taken to provide connection security.

One problem with providing connection security is that handshaking requires
plenty of processing time since several messages must be sent between the
parties involved. The low processing power and narrow bandwidth in the
mobile stations make handshakes particularly burdensome in mobile
communication networks. Handshakes are also burdensome for applications
which have numerous simultaneous transactions, for example, a server in a
bank. Therefore, it is desirable to minimize the number and duration of the
handshakes. This leads to the problem that an attacker has lots of time for
cryptanalysis, as the same encryption keys are used between the two
handshakes. If the attacker succeeds in the cryptanalysis, he can access
all the material sent between the two handshakes.

Summary of the invention 

The object of this invention is to provide a method for securely protecting
transmitted information between communicating applications, especially over
narrow-band connections, without unnecessarily loading the communicating
parties.

This is achieved by using a method according to the invention characterized
by what is stated in the independent claim 1. Special embodiments of the
invention are presented in the dependent claims.

The invention is based on the idea that the communicating parties
recalculate the security parameters during the transmission session
simultaneously with each other at agreed intervals and then continue
communicating and providing connection security for messages with these new
parameters. The communicating parties monitor the time for recalculation
and at the agreed intervals recalculate and thus change the security
parameters without a handshake taking place. In the primary embodiment of
the invention, the messages are numbered and the number agreed on triggers
recalculation at intervals.

The advantage of the method according to the invention is that security
parameters can be changed during the session without handshaking. This
reduces the need for handshakes.

Another advantage of the method according to the invention is that the
security of the transmission is improved, i.e. attacking is made more
difficult and less profitable.

Brief description of the drawings 

The description of the preferred embodiments of the invention will now be
made with reference to the attached drawings, in which

Figure 1a shows a symmetric ciphering algorithm as a block diagram;
Figure 1b shows an asymmetric ciphering algorithm as a block diagram;
Figure 2 gives a few examples of connections from a mobile communication
network to some applications;
Figure 3 shows session keys providing connection security for transmitted
messages according to the primary embodiment of the invention;
and
Figure 4 shows the primary embodiment of the invention as a flowchart.

Detailed description of the invention

The present invention can be applied to any telecommunication network.
Below the invention is described in more detail using as an example a
mobile station operating in the digital GSM mobile communication system and
communicating with an application located either inside or outside the GSM
network.

In the following the primary embodiment of the invention is described 
in more detail with reference to Figures 2, 3 and 4. 

Figure 2 shows example connections as described earlier. The mobile station
MS contacting the server in the bank first performs a handshake according
to the prior art, during which both the MS and the bank may authenticate
the other and exchange any session key information needed. According to the
invention, for example, during the handshake, a mobile station and an
application in the bank negotiate and agree on appropriate intervals for
recalculating the security parameters to be used to provide privacy, data
integrity and authentication during the communication. For example, the
negotiation can be implemented so that each of the communicating parties,
i.e. in the example in Figure 2 the mobile station MS and the application
in the bank, proposes a suitable interval for recalculation and one of the
proposed intervals is chosen and agreed upon, for example, the one that is
more frequent. Examples of suitable parameters to determine intervals are a
message sequence number, such as every fourth message, or a suitable time
period. Even if handshaking is not needed and therefore not performed at
the beginning of the communication session, according to the invention the
communicating parties still need to agree on recalculation intervals.

After agreeing on the intervals for recalculation both the parties monitor
the agreed intervals. If an interval after four messages is agreed on,
either both parties monitor the number of messages sent, which requires a
reliable transmission medium with no lost messages, or they number all
transmitted messages and transmit these sequence numbers with the messages.
The advantage of sending the sequence numbers or time stamps with the
messages is that the recalculation is synchronous at both ends even though
some messages get lost along the way or messages received are not in
correct order. When in the example described above the fourth message is
transmitted and received, both the communicating parties recalculate the
security parameters and use these new parameters for providing connection
security for the next four messages. A handshake or any other session key
exchange is not performed during or after the recalculation of the
parameters. The recalculation can be based on a shared secret and the
latest sequence number, for example. Security parameters can also be used
to calculate session keys Kn for ciphering and the message authentication
code MAC in the following way, for example:

Kn = H(S, N)
MAC = H(M, S, N),

where H is a predetermined hash algorithm, S is the shared secret, N is the
latest sequence number, and M is the message to be transmitted in plain
text.

Figure 3 shows an example of changing the session key according to the
invention. In Figure 3 the messages sent from the MS are numbered with the
sequence numbers 0 to 3. In the example in Figure 3, the interval for
recalculation is agreed to be after two sent messages. The message with
sequence number 0 is sent to the bank encrypted with session key K1. The
application in the bank decrypts the message 0 with the same session key K1
when symmetric algorithm is applied in ciphering. The message with sequence
number 1 is also sent encrypted with session key K1. As the mobile station
MS has now sent two messages, both the MS and the application in the bank
recalculate the security parameters, for example, the session key K2, using
the shared secret and the latest sequence number that is 1. After
recalculation the MS sends the next message 2 to the bank encrypted with
session key K2. The application in the bank decrypts the message 2 with the
same recalculated session key K2. Also the message 3 is encrypted with
session key K2 before transmission. After that the MS and the application
in the bank again notice that the agreed interval has been reached and both
parties recalculate the security parameters, for example, the session key
K3, using the shared secret and the latest sequence number 3.

Figure 4 shows the primary embodiment of the invention as a flowchart. At
the beginning of a communication at step 41, the parties involved in
communication, in the example in Figure 2 the MS and the application in the
bank, negotiate and agree on the interval for security parameters
recalculation. As in the example described above, we again assume that the
interval is agreed to be after two transmitted messages. Both communicating
parties keep track of the number of transmitted messages, for example, with
counters at each end. At stage 42 one of the communicating parties, for
example, the MS, encrypts the first message to be sent with a session key
K1 obtained from the shared secret that was exchanged during the handshake
or otherwise shared with the parties involved. The encrypted message is
sent and the receiving party decrypts the message with corresponding
session key K1 (stage 43). At this time the counter is set at 1. At stage
44 both parties, in this example the MS and the application in the bank,
check whether the agreed interval has been reached by checking whether the
value in the counter is equal to the value of the agreed interval, for
example. As the message sent was only the first message, recalculation does
not take place yet, and the next message is encrypted and decrypted with
the same session key K1. When two messages have been sent, and the counters
indicate the value 2 which corresponds to the value of the agreed interval,
the clause at stage 44 becomes true and both communicating parties
recalculate security parameters in a predetermined manner and obtain a new
session key K2 (stage 45). At stage 46 the interval monitoring is reset,
i.e. the message count is restarted, for example, by setting the counter to
0. At stage 47 a check is made as to whether there are still more messages
to be sent, and if so the encryption of a message is continued at stage 42
with the first message to be encrypted using the latest session key K2,
after which the message is sent and the counters may be set to value 1. The
process continues in similar manner until all the messages to be sent are
transmitted.

In another embodiment of the invention, MAC is used to provide connection
security for message transmission in the place of ciphering. According to
the invention MAC is calculated, for example, from the sequence number that
last triggered recalculation of the security parameters. In the example in
Figure 3, MAC is calculated with the sequence number 1 for the messages
shown as encrypted with K2 and with the sequence number 3 for the messages
to be encrypted with K3. Otherwise this other embodiment of the invention
is implemented in the same fashion as in the first embodiment described
above.
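
The Figure 3 key schedule and the MAC embodiment above, as an added example
that is not part of the patent text: both ends derive Kn and the MAC from
the shared secret S and the sequence number N that last triggered
recalculation. Assumptions of this example: H is instantiated with
HMAC-SHA-256 keyed by S, K1 is derived from S with a fixed label, and the
secret and messages are constructed sample data.

```python
import hashlib
import hmac

INTERVAL = 2  # agreed recalculation interval, as in the Figure 3 example

def H(secret, *parts):
    # Assumption: the text leaves H open; HMAC-SHA-256 keyed with S stands in.
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(secret, data, hashlib.sha256).digest()

def trigger(seq, interval=INTERVAL):
    # Sequence number N that last triggered recalculation (None before the first).
    epoch = seq // interval
    return None if epoch == 0 else epoch * interval - 1

def label(seq, interval=INTERVAL):
    # Assumption: K1 comes from S with a fixed label; the text does not say how.
    n = trigger(seq, interval)
    return b"initial" if n is None else n.to_bytes(8, "big")

def session_key(secret, seq, interval=INTERVAL):
    return H(secret, b"key", label(seq, interval))           # Kn = H(S, N)

def make_mac(secret, seq, message, interval=INTERVAL):
    return H(secret, b"mac", label(seq, interval), message)  # MAC = H(M, S, N)

def send(secret, seq, message):
    return (seq, message, make_mac(secret, seq, message))

def verify(secret, packet):
    # N is derived from the sequence number carried in the packet, so lost
    # or reordered packets do not desynchronise the two ends.
    seq, message, tag = packet
    return hmac.compare_digest(tag, make_mac(secret, seq, message))

def counting_receiver_keys(secret, packets, interval=INTERVAL):
    # The other option in the text: count arrivals instead of reading seq.
    return [session_key(secret, count, interval) for count in range(len(packets))]

# Constructed sample data: shared secret S and four messages numbered 0 to 3.
S = b"constructed-shared-secret"
sent = [send(S, n, b"message %d" % n) for n in range(4)]
arrived = [sent[2], sent[0], sent[3]]  # message 1 lost, the rest reordered

if __name__ == "__main__":
    print([trigger(n) for n in range(4)])       # trigger per message number
    print(all(verify(S, p) for p in arrived))   # tags verify despite loss
    wrong = [k != session_key(S, p[0])
             for k, p in zip(counting_receiver_keys(S, arrived), arrived)]
    print(wrong)                                # where a counting receiver errs
```

Because N is the trigger number rather than a packet's own number, the tag
does not tie a packet to its position within an interval.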

Yet another embodiment of the invention uses ciphering and MAC to provide
connection security for messages. This is implemented by combining the
embodiments described above.

Recalculation of the security parameters includes also the possibility of
changing the ciphering algorithm to be used in ciphering the next messages.

The drawings and the accompanying explanation are only intended to
demonstrate the principles of the invention. The details of the method
according to the invention can vary within the patent claims. Although the
invention was described above mostly in connection with a mobile station
and service application communication, the invention can also be used for
providing connection security for messages between any two or more
applications communicating together, also in mobile to mobile connection in
a speech, data and short message transmission. The invention is also
suitable for use in recalculating other security parameters than session
keys and MACs. The invention is not restricted for use only in connection
with the ciphering algorithms presented above, but can be applied together
with any ciphering algorithms.



